Email Hacking Incidents Result in Exposure of 8,600 Patients’ PHI

Three more healthcare organizations have discovered unauthorized individuals have gained access to the email accounts of employees and potentially accessed patients’ protected health information. In total, across the three incidents, the PHI of 8,635 patients has been exposed.

PHI of 5,319 Patients of Center for Sight and Hearing Exposed

Rockford, IL-based Center for Sight and Hearing discovered on January 23, 2019 that an unauthorized individual had gained access to the email account of an employee. The investigation revealed the account was compromised on January 18 and the account contained the PHI of 5,319 patients.

A third-party computer forensics company confirmed on February 21, 2019 that names, addresses, and scheduling information were contained in the compromised account. To improve security, Center for Sight and Hearing has implemented a new password management system and multi-factor authentication.

Harbor Behavioral Health, a network of counselling and mental health treatment centers in Northwest Ohio, discovered on February 13, 2019 that an unauthorized individual had gained access to the email account of an employee.

Assisted by a third-party computer forensics firm, Harbor determined that the hacker had access to the account for three months between December 2018 and February 2019 and that a further email account had also been compromised.

In both cases, unauthorized access to the accounts was immediately terminated and the accounts were secured. An analysis of the compromised accounts revealed they contained information such as names, dates of birth, health insurance details, and information related to the services provided by Harbor. The Social Security numbers and driver’s license numbers of a limited number of patients were also exposed. In total, the compromised email accounts contained the PHI of 2,290 patients.

Complimentary credit monitoring and identity theft protection services have been offered to all patients whose Social Security number or driver’s license number was exposed.

In addition to securing the accounts, Harbor has strengthened controls to prevent unauthorized access from external IP addresses, increased log reviews and the frequency of automated alerts, and strengthened its security processes. Additional training has also been given to employees to help them detect and avoid phishing emails.

1,026 Individuals Impacted by Dakota County Email Account Breach

Dakota County, MN, has discovered the email account of an employee has been hacked and accessed by an unauthorized individual. The email account breach was discovered on February 13, 2019 and the account was immediately secured.

As a precaution, a forced password reset was performed on all employee email accounts to ensure no other accounts could be accessed, although the investigation confirmed that only a single account had been compromised. Third-party cybersecurity consultants were retained to conduct an investigation into the breach and confirmed the account had been accessed. It was not possible to determine whether any emails had been opened or copied.

Complimentary identity protection services have been offered to individuals affected by the breach and notification letters were sent on April 12, 2019. Dakota County has also strengthened its email security defenses to prevent further attacks.
